Re: httpd incorrectly handles OCSP stapling
On Mon, Aug 14, 2017 at 08:00:11AM +0200, Andreas Bartelt wrote: > On 08/13/17 08:50, Joel Sing wrote: > > On Friday 11 August 2017 03:31:27 lists+b...@ggp2.com wrote: > ... > > > > This should already be fixed in -current. > > > > I've just tested OCSP stapling via httpd with multiple domains on current > (all domains also resolve to the same IP address in this setup). I'm > observing the same problem, i.e., OCSP stapling only works for the first > domain which has been defined in httpd.conf. I just confirmed on the latest snapshot (with the ALPN fix) that OCSP is still broken for multiple domains. I have 2 domains test1.ggp2.com and test2.ggp2.com. Whichever domain defines the OCSP certificate first works fine. eg server "test1.ggp2.com" { ocsp... } server "test2.ggp2.com" { ocsp... } Then test1.ggp2.com works, and if server "test2.ggp2.com" { ocsp... } server "test1.ggp2.com" { ocsp... } then test2.ggp2.com works. The error firefox gives is: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, which is different than I was seeing before. Chrome now works, and ssl labs reports "Invalid No response provided". httpd.conf is as follows: ext_addr="*" server "default" { listen on $ext_addr port 80 block return 302 "https://test1.ggp2.com$REQUEST_URI"; } server "test1.ggp2.com" { listen on $ext_addr port 80 alias "test2.ggp2.com" block return 301 "https://$SERVER_NAME$REQUEST_URI"; } server "test1.ggp2.com" { listen on $ext_addr tls port 443 hsts { subdomains preload } tls { certificate "/etc/ssl/acme/test1.ggp2.com.fullchain.pem" key "/etc/ssl/acme/private/test1.ggp2.com.key" ocsp "/etc/ssl/acme/test1.ggp2.com.der" } location "/.well-known/acme-challenge/*" { root "/acme" root strip 2 } } server "test2.ggp2.com" { listen on $ext_addr tls port 443 hsts { subdomains preload } tls { certificate "/etc/ssl/acme/test2.ggp2.com.fullchain.pem" key "/etc/ssl/acme/private/test2.ggp2.com.key" ocsp "/etc/ssl/acme/test2.ggp2.com.der" } location "/.well-known/acme-challenge/*" { root "/acme" root strip 2 } }
Re: httpd incorrectly handles OCSP stapling
On 08/13/17 08:50, Joel Sing wrote: On Friday 11 August 2017 03:31:27 lists+b...@ggp2.com wrote: ... This should already be fixed in -current. I've just tested OCSP stapling via httpd with multiple domains on current (all domains also resolve to the same IP address in this setup). I'm observing the same problem, i.e., OCSP stapling only works for the first domain which has been defined in httpd.conf.
Re: httpd incorrectly handles OCSP stapling
On Sun, Aug 13, 2017 at 04:50:11PM +1000, Joel Sing wrote: > This should already be fixed in -current. Thanks, Joel. I'll get some test domains up one one of my -current systems to confirm. I don't have any exposed at the moment, and combed through the CVS logs to see if anything obvious had been committed before posting the bug (although I obviously missed it).
Re: httpd incorrectly handles OCSP stapling
On Friday 11 August 2017 03:31:27 lists+b...@ggp2.com wrote: > >Synopsis: httpd incorrectly handles OCSP stapling > >Category: system > > >Environment: > System : OpenBSD 6.1 > Details : OpenBSD 6.1 (GENERIC.MP) #19: Thu Aug 3 14:59:44 CEST > 2017 > rob...@syspatch-61-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERI > C.MP > > Architecture: OpenBSD.amd64 > Machine : amd64 > > >Description: > I run multiple domains on an httpd instance. When I tried to enable > OCSP stapling for several domains, only the first defined domain would work > properly. Regardless of whether I had defined an OCSP block or not for > subsequent domains after the first, I'm suspecting that the OCSP response > stapled to the first domain is used for all the others. Firefox refuses to > connect to any but the first defined domains, and gives an OCSP error. > > (also apologies if this is a repost, I didn't have the alias set up > yet, and believe the majordomo "confirm" mail went to /dev/null) > > >How-To-Repeat: > Get OCSP responses: > > ocspcheck -N -o /etc/ssl/acme/domain1.com.der > /etc/ssl/acme/domain1.com.fullchain.pem ocspcheck -N -o > /etc/ssl/acme/domain2.com.der /etc/ssl/acme/domain2.com.fullchain.pem > Define multiple server{} blocks in httpd.conf, and give each an ocsp > defintion: > server "domain1.com" { > listen on $ext_addr tls port 443 > > tls { > certificate "/etc/ssl/acme/domain1.com.fullchain.pem" > key "/etc/ssl/acme/private/domain1.com.key" > ocsp "/etc/ssl/acme/domain1.com.der" > } > } > > server "domain2.com" { > listen on $ext_addr tls port 443 > > tls { > certificate "/etc/ssl/acme/domain2.com.fullchain.pem" > key "/etc/ssl/acme/private/domain2.com.key" > ocsp "/etc/ssl/acme/domain2.com.der" > } > } > > Try to visit domain2.com. Whether or not domain2 has the ocsp > definition is irrelevant; Firefox fails to access the domain with an OCSP > error. domain1.com works fine in either case. > > >Fix: > Fix is unknown, but would involve OCSP stapling being handled properly > for multiple domains. It could be SNI related. This should already be fixed in -current.
httpd incorrectly handles OCSP stapling
>Synopsis: httpd incorrectly handles OCSP stapling >Category: system >Environment: System : OpenBSD 6.1 Details : OpenBSD 6.1 (GENERIC.MP) #19: Thu Aug 3 14:59:44 CEST 2017 rob...@syspatch-61-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP Architecture: OpenBSD.amd64 Machine : amd64 >Description: I run multiple domains on an httpd instance. When I tried to enable OCSP stapling for several domains, only the first defined domain would work properly. Regardless of whether I had defined an OCSP block or not for subsequent domains after the first, I'm suspecting that the OCSP response stapled to the first domain is used for all the others. Firefox refuses to connect to any but the first defined domains, and gives an OCSP error. (also apologies if this is a repost, I didn't have the alias set up yet, and believe the majordomo "confirm" mail went to /dev/null) >How-To-Repeat: Get OCSP responses: ocspcheck -N -o /etc/ssl/acme/domain1.com.der /etc/ssl/acme/domain1.com.fullchain.pem ocspcheck -N -o /etc/ssl/acme/domain2.com.der /etc/ssl/acme/domain2.com.fullchain.pem Define multiple server{} blocks in httpd.conf, and give each an ocsp defintion: server "domain1.com" { listen on $ext_addr tls port 443 tls { certificate "/etc/ssl/acme/domain1.com.fullchain.pem" key "/etc/ssl/acme/private/domain1.com.key" ocsp "/etc/ssl/acme/domain1.com.der" } } server "domain2.com" { listen on $ext_addr tls port 443 tls { certificate "/etc/ssl/acme/domain2.com.fullchain.pem" key "/etc/ssl/acme/private/domain2.com.key" ocsp "/etc/ssl/acme/domain2.com.der" } } Try to visit domain2.com. Whether or not domain2 has the ocsp definition is irrelevant; Firefox fails to access the domain with an OCSP error. domain1.com works fine in either case. >Fix: Fix is unknown, but would involve OCSP stapling being handled properly for multiple domains. It could be SNI related. dmesg: OpenBSD 6.1 (GENERIC.MP) #19: Thu Aug 3 14:59:44 CEST 2017 rob...@syspatch-61-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 4141355008 (3949MB) avail mem = 4011163648 (3825MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf0100 (53 entries) bios0: vendor Award Software International, Inc. version "F7" date 11/30/2009 bios0: Gigabyte Technology Co., Ltd. GA-MA785GM-US2H acpi0 at bios0: rev 0 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP HPET MCFG TAMG APIC acpi0: wakeup devices USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) USB6(S3) SBAZ(S4) P2P_(S5) PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) PCE7(S4) PCE9(S4) [...] acpitimer0 at acpi0: 3579545 Hz, 32 bits acpihpet0 at acpi0: 14318180 Hz acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: AMD Athlon(tm) II X2 270 Processor, 3415.82 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,ITSC cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative cpu0: AMD erratum 721 detected and fixed cpu0: TSC frequency 3415823080 Hz cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 200MHz cpu0: mwait min=64, max=64, IBE cpu1 at mainbus0: apid 1 (application processor) cpu1: AMD Athlon(tm) II X2 270 Processor, 3415.46 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,ITSC cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache cpu1: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative cpu1: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative cpu1: AMD erratum 721 detected and fixed cpu1: smt 0, core 1, package 0 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 3 (P2P_) acpiprt2 at acpi0: bus -1 (PCE2) acpiprt3 at acpi0: bus -1 (PCE3) acpiprt4 at acpi0: bus -1 (PCE4) ac